Recognize & Report Phishing in Outlook

Overview

Phishing is a type of scam where attackers pretend to be trusted sources (such as your bank, Microsoft, or your university) to trick you into sharing passwords, downloading malware, or sending money. These messages often look convincing but contain subtle red flags.

This article shows you how to spot suspicious emails and quickly report them in Outlook so our security team can protect you and others.

Common signs of a phishing message

Look out for one or more of the following:

  • Messages that spoof someone in authority (e.g., the President or a Department Chair) and ask you to share your cell number, text them at a specific phone number, purchase gift cards, or provide personal information.
  • Urgent or threatening language (for example, “Your account will be closed in 1 hour”).
  • Unexpected requests for passwords, MFA codes, gift cards, wire transfers, or personal information.
  • Mismatched or misleading sender addresses (hover or tap to see the real address).
  • Links that do not match the display text (hover to preview the true URL before clicking).
  • Attachments you did not expect (especially .HTML, .HTM, .ZIP, or .EXE).
  • Branding that looks incorrect (misspellings, poor formatting, generic greetings).

Examples of suspicious scenarios

  • “Payroll update required. Log in to keep your benefits.”
  • “You missed a voicemail. Download this attachment.”
  • “Urgent action: Verify your Microsoft 365 account now or it will be deleted.”
  • “Gift cards requested by a leader” asking you to purchase codes and reply with photos.

Safe link and attachment handling

  • Hover before you click (desktop or web): preview the URL and ensure it matches the expected domain.
  • Open attachments only when expected and only from known senders.
  • Be skeptical of shared document notifications that demand re authentication on unfamiliar pages.

Tip:

  1. When in doubt, do not click. Use official channels (for example, log in directly to the service via its bookmarked site) to verify.
  2. Be cautious of emails that originate outside of the Minnesota State System, as indicated by the external email banner.

Report message warning

How to report phishing in Outlook

Report phishing image

Outlook on the web (Outlook for Microsoft 365 in a browser)

  1. Open the suspected email (do not click links).
  2. Select More Actions (the ellipsis in the top right).
  3. Click Phishing.
  4. Confirm the report.

Outlook for Windows and Mac (desktop app)

  1. Select the suspected email.
  2. If you see a Report, Report Message, or Report Phishing button on the ribbon, choose Report Phishing.
  3. If you do not see it, right-click the message → Report or JunkPhishing (options vary by version).
  4. Confirm the report.

Outlook mobile (iOS/Android)

  • If you have a Report option in the message menu (three dots), choose Report Phishing.
  • If the option is not available in your app version, do not interact with the email. You can:
    • Move it to Junk, and
    • Report it using the desktop or web version when you are back at a computer.

Reporting helps improve organizational defenses and trains Microsoft filters to block similar messages.

What to do if you clicked a link or entered information

Please contact the TRC to schedule a brief meeting to review and complete the required security steps.

You may stop by the TRC in person or request a Zoom meeting during our regular hours:

  • By Phone: 507-537-6111 (preferred method of contact)
    • Fall & Spring Semester Hours
      • Monday – Thursday: 7:30am to 11pm
      • Friday: 7:30am to 6pm
      • Saturday: 10am to 5pm
      • Sunday: 12pm to 11pm
    • Summer Hours
      • Monday – Friday: 8AM to 4:30PM
  • By email: TRC@SMSU.edu
  • SMSU TDX client portal: Information Security Incident Report

Next Steps

  1. Disconnect from untrusted Wi-Fi.
  2. Change your StarID password immediately at https://starid.minnstate.edu/

FAQs

Q: Reporting vs. moving to Junk. What is the difference?
A: Moving to Junk teaches your mailbox about unwanted mail, but reporting phishing sends an alert that helps our security systems and Microsoft improve organization wide protection.

Q: I am not sure if it is phishing. Should I still report it?
A: Yes. It is better to report and let security review than to risk exposure.

Q: The sender looks like someone I know.
A: Attackers can spoof names. Always check the full email address and hover links.

For more information

Microsoft Support: Phishing and suspicious behavior in Outlook

Print Article

Related Services / Offerings (1)

Information Security Incident Report
Request immediate assistance in responding to an information security incident.